Hi Dr. Steve: can I get clarification on your note about the '...link algorithm has changed...'?
Does this refer to the hash computed over a certificate which is needed when using SSL_CTX_load_verify_locations(pCtx, NULL, path_to_verify_directory)? I discovered (and resolved) this in testing 1.0.1 recently, upgrade from 0.9.8r; I just want to confirm this is the issue you mentioned. Thanks very much.

+-+-+-+-+-+-+
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Monday, May 07, 2012 7:13 PM
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate

On Mon, May 07, 2012, Tammany, Curtis wrote:

> Now have added only the Common Policy CA at the top of the certs file. The
> development site works for both the long chain and short chain users.
>
> I put the cert file out on the production site and the short chain users can
> access the site but the long chain user can't and I saw "FAILED:unhandled
> critical extension" in the log for that user... What is that? What do I need
> to do to prevent that???
>
> The only difference between the development site other than OS (XP vs. 2003)
> is the version of OpenSSL. On the dev site, I have 1.0.1. On production, I
> have 0.9.8r. When I upgraded OpenSSL on production to 1.0.1 (hoping to
> eliminate the error above), I think I killed the site for all Win 7 boxes. I
> say that because I had been able to access the production site with a test
> Win 7 laptop.
>
> I had to put OpenSSL back to 0.9.8r.

The "unhandled critical extension" is not something you can fix with configuration. You can see which extension it is by looking at the certificate details in the wizard: critical extensions have an exclamation mark next to them.

If this works in 1.0.1 but not 0.9.8 I'm guessing it's the name constraints extension that is the problem, which isn't supported in OpenSSL 0.9.8.

Does the production site have any directories of trusted certificates or are they all in a single file? I ask because the link algorithm changed in OpenSSL 1.0.0 and later and is incompatible with the 0.9.8 version.

Note that you can't just update the DLLs for a new major version of OpenSSL: the applications will need to be recompiled too.

You could try updating to OpenSSL 1.0.0i instead as the 1.0.1 series of OpenSSL is very new and there are several reported interop problems.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
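The "link algorithm" Steve mentions and the per-certificate hash Dave asks about are the same thing: the eight-hex-digit file name (plus a ".0" suffix) under which SSL_CTX_load_verify_locations() looks for a CA in a trusted-certificate directory. In 0.9.8 that name is the first four bytes of an MD5 over the DER-encoded subject Name (X509_NAME_hash_old in later releases); from 1.0.0 on it is the first four bytes of a SHA-1 over a canonical form of the Name (values converted to UTF8String, lower-cased, whitespace trimmed and collapsed, outer SEQUENCE header dropped), so the two layouts share no file names at all. The Python below is an added example, not code from this thread or from OpenSSL: it re-implements both hashes from scratch for simple ASCII names so the incompatibility can be seen on a constructed CA subject. CA_NAME, CA_NAME_SLOPPY and all helper names are mine; byte-for-byte agreement with OpenSSL is only claimed for the ASCII PrintableString/UTF8String names it handles.

```python
"""
Constructed example: the two OpenSSL trusted-certificate-directory hash
algorithms, re-implemented for plain ASCII names.

  0.9.8  (X509_NAME_hash_old): MD5  over the DER Name
  1.0.0+ (X509_NAME_hash):     SHA-1 over the canonical Name encoding

Both take digest bytes 0..3 as a little-endian 32-bit integer and print
it as "%08x"; that string + ".0" is the file name the directory lookup
(SSL_CTX_load_verify_locations(ctx, NULL, dir)) opens.  Not OpenSSL code.
"""
import hashlib
import re

# X.520 attribute-type OIDs used by the sample (assumption: single-valued RDNs).
OID = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
SEQUENCE, SET, OBJECT_IDENTIFIER = 0x30, 0x31, 0x06


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID, e.g. '2.5.4.3' -> 06 03 55 04 03."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(OBJECT_IDENTIFIER, bytes(out))


def rdn(attr: str, value: bytes, string_tag: int) -> bytes:
    """One RDN: SET { SEQUENCE { AttributeType OID, AttributeValue } }."""
    return tlv(SET, tlv(SEQUENCE, der_oid(OID[attr]) + tlv(string_tag, value)))


def encode_name(entries, string_tag=PRINTABLE_STRING) -> bytes:
    """Full DER Name (SEQUENCE OF RDN): the bytes 0.9.8 feeds to MD5."""
    return tlv(SEQUENCE, b"".join(rdn(a, v.encode("ascii"), string_tag)
                                  for a, v in entries))


def canon_value(value: str) -> bytes:
    """OpenSSL's asn1_string_canon for ASCII input: collapse runs of
    whitespace to one space, trim the ends, lower-case, emit as UTF-8."""
    collapsed = re.sub(r"[ \t\n\v\f\r]+", " ", value).strip(" ")
    return collapsed.lower().encode("utf-8")


def encode_name_canon(entries) -> bytes:
    """Canonical encoding 1.0.0+ feeds to SHA-1: the RDN SETs concatenated,
    every value normalised and re-tagged UTF8String, NO outer SEQUENCE."""
    return b"".join(rdn(a, canon_value(v), UTF8_STRING) for a, v in entries)


def _link_hash(digest: bytes) -> str:
    """Digest bytes 0..3, little-endian, formatted like `openssl x509 -hash`."""
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(entries) -> str:
    """0.9.8 directory name (X509_NAME_hash_old / `x509 -subject_hash_old`)."""
    return _link_hash(hashlib.md5(encode_name(entries)).digest())


def subject_hash(entries) -> str:
    """1.0.0+ directory name (X509_NAME_hash / `x509 -subject_hash`)."""
    return _link_hash(hashlib.sha1(encode_name_canon(entries)).digest())


def link_names_for_both(entries) -> tuple:
    """(old-style, new-style) '<hash>.0' file names a directory needs so that
    both a 0.9.8 and a 1.0.x libcrypto can find this CA."""
    return subject_hash_old(entries) + ".0", subject_hash(entries) + ".0"


# Constructed sample subject; the second spelling differs only in case and
# spacing, which the canonical form erases but the raw DER does not.
CA_NAME = [("C", "US"), ("O", "Example Corp"),
           ("OU", "Example Trust Services"), ("CN", "Example Root CA")]
CA_NAME_SLOPPY = [("C", "US"), ("O", "  EXAMPLE   corp"),
                  ("OU", "example trust services "), ("CN", "EXAMPLE ROOT CA")]

if __name__ == "__main__":
    for label, name in (("CA_NAME", CA_NAME), ("CA_NAME_SLOPPY", CA_NAME_SLOPPY)):
        print(label, "0.9.8:", subject_hash_old(name), "1.0.x:", subject_hash(name))
```

Running it prints two different eight-digit names per subject, one for each library generation, which is why a directory populated with 0.9.8's c_rehash finds nothing once the DLLs move to 1.0.x and chain building fails with "unable to get local issuer certificate". Rehash the directory with the c_rehash shipped with the new release; the 1.0.0+ `openssl x509` command also accepts `-subject_hash_old` alongside `-subject_hash`, so during a migration a directory can carry links under both names and serve either version.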